Italian Privacy Authority’s opinion on green pass’ checks

The Italian Data Privacy Authority has published its favorable opinion (n. 363 of October 11, 2021) on the scheme of DPCM October 12, 2021, which introduces new methods of verification of the green pass in public and private employment. The following are the main points of the opinion to be taken into account in the organization of green pass checks.

General considerations

The checks must not involve the collection of data from the person concerned in any form, except those strictly necessary, in the workplace, to the application of the measures resulting from the lack of certification, without acquiring data that may, even indirectly, reveal health conditions or personal beliefs. 

Only employees who are actually on duty and have access to the workplace may be checked, excluding employees who are absent due to holidays, illness, leave or who work in remote working.

Employees will have to be duly informed by their employer about data processing through a specific information notice.

Considerations on the technical solutions used and being adopted (VerificationC19, SDK, NoiPa Platform, INPS Portal and applicative interoperability)

In case of verification through the app VerificaC19, should not be shown to the verifier elements, such as wording (“Certification valid only in Italy”) or colours (blue screen), likely to reveal the existence of a particular condition at the basis of the issuance of certification (e.g. first dose vaccine). Therefore, the app needs to be modified.

The system used to verify the green pass through SDK application development package (free license software that can be integrated to the access control systems/turnstiles) will have to limit the processing of personal data to relevant information and operations strictly necessary to verify the validity of Covid-19 green certificates, introducing the prohibition of storing the QR code of Covid-19 green certificates under check, as well as to extract, consult, record or otherwise process for further purposes the information gathered from the reading of the QR code and the information provided as a result of the checks, in compliance with the rules prohibiting the processing of detailed information, including information relating to the health, privacy or personal beliefs of the persons checked (art. 88 of the Regulation and 113 of the Code).As regards verification through the NoiPa platform (for participating PA’s bodies and entities), the INPS portal (for employers with more than 50 employees who are not members of NoiPa) or through interoperable applications, the national platform-DGC will only display the information on whether or not the employee has a valid green pass, avoiding the processing of further information stored or processed within the national platform-DGC.